
RE: [eap] RE: [Isms] RADIUS is not a trusted third party



Martin Soukup said:

> The use of RADIUS itself without a defined extension such as EAP-TLS
> or EAP-PEAP over RADIUS cannot securely pass attributes between
> entities. Note that the defined EAP-TLS (or other EAP mechanisms)
> over RADIUS provides for secure attribute passing between entities
> even through proxies.

In response to which, Glen Zorn spake thusly:

> I thought that I was passing familiar w/EAP-TLS (and even more so
> w/PEAP), but I am completely unaware of such capabilities.  Would
> you mind explaining how this is achieved, given that RADIUS & EAP
> are completely different protocols?

I also was unaware of the ability of EAP-TLS to transmit RADIUS attributes
between the EAP peer and server.  I had always thought RADIUS was a
protocol only spoken between a NAS and a RADIUS server, and that EAP-TLS
didn't support transmission of TLVs.  But I guess this is a somewhat
old-fashioned point of view.

Perhaps this is referring to EAP-TLS "extended" via the following?
http://www.ietf.org/internet-drafts/draft-funk-tls-inner-application-extension-01.txt



archive: <http://psg.com/lists/radiusext/>